Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
actiopabs94
New Contributor

Fortigate firewalls... any good?

Anyone here have experience with Fortigate products? How do they compare to Checkpoint in terms of performance and reliability?We have Checkpoints currently and have been running into performance and reliability issues (particularly when the Infosec team goes crazy with their vulnerability scans, but also from DoS attacks from the web). The Fortigate salespeople claim they are the only ones in the space offloading traffic to ASICs. Is this true and does it make a difference in real life?

https://9apps.ooo/
7 REPLIES 7
emnoc
Esteemed Contributor III

FortiGate are horrible,  stay away , run ;)

 

Hey this is forum for FTNT so nobody going to tell you any thing bad . Okay here's my thoughts since I work with both platforms and almost daily or weekly

 

My opinion for OP and anybody looking at the two platforms ;

 

"none are better than the other it like saying is a toyota better than a honda "

 

 

CHKP

[ul]
  •   support is going slowly downhill, and that is from me working with their support and products for 20+ years
  •   the security manager/mds is excellent in tracing or searching objects, & it really the 1st security manager from historical , so it has improved over the course of decades. It's simple to use and laid out fairly good. They did a good job in that area.
  •   hardware is reliable even though in my day-job we have 50/50 real appliance and virtual we have not seeing any hardware failure nor have I heard of any thing failing
  •   CHKP ha-cluster and failover is just a mess, Just as bad as junos or actually worst. I have nothing   positive to say in those areas. Just expect some reboots if you actually failover anything
  •   vpn diagnose is simple and pcap generate is excellent for assistance in troubleshooting
  •   as you should know licensing in anything with regards to CHKP is a price-tag $$$$ and like clustering is a mess to manage or understand if you do not do it regularly
  •   A lot change to the security-manager system are scripts and file modification that can be intimidating ( forcepoint SMC is done in the same fashion &  by many local-host files that you have to edit )
  •    logging and analysis can be a breeze , but you need add-on to fully achieve anything in that area
  •    centralize nat table and object or a mix of the two can cause issues if you do not know what's going on
  • Also checkpoint solution documents are write probably slightly better than fortinet but  just my opinion others might disagree[/ul]

     

    FTNT

    [ul]
  •   support is fair, RMA process sucks in general. Also hand off to another engineer and the process is poor to say the least
  •   application control works and works very good
  • software upgrade are simple as 1 2 3 
  •   SDWAN is a big feature that a lot of sml to medium org are moving to, it's a strong point
  •   webGUI is good and the fortimanager if you have a wide deployments is a great management solution
  •  IDS/IDP rules management is much simple than CHKP
  •  IDS/IDP updates are also much simpler and reliable to execute
  •  clustering|failover is breeze to manage ( see my above bold complaint )
  •  DoS flood mitigation is simple , but like anything if your over--ran you will have problem. Does not matter if it a FTNT CHKP PANW JNPR , flood control is a royal PITA.
  •  NAT and VIP management is much simple also in  FTNT
  • if you have a hardware failure it's almost effortlessly to restore if you have last-saved cfg, can not say the same to CHKP-sg. You have a lot of minor steps you have todo to restore a CHKP[/ul]

     

    Summary. Both are great platform. If your looking at NSS lab you will see both are great in all areas. CHKP is still the leader or the big dog to beat,  but it comes at a price tag. I love both platform but for many many different reasons. 

     

    I would ask for a demo and run a device in a lab or test-env before committing down that path. But you can't go wrong with a fortigate.  Also CHKP is loosing market shares at a steady beat & for decades now. I stay in touch with my old fortigate partner,  and for every bid|proposal losted out to chkp, these can be count on one hand.

     

    I favor fortinet most of the time over checkpoint. Palo would be also a better platform to look but again comes with a price tag. They have improvement in a lot of areas that CHKP just does a C grade in.

     

    Ken Felix

     

  • PCNSE 

    NSE 

    StrongSwan  

    PCNSE NSE StrongSwan
    FarNorthJoe
    New Contributor

    Haven't had anything to do with them in over 14 years.

    Moved to a new organisation recently and it seems the Fortigates have issue after issue with updates. It hasn't stopped, with updates breaking HA, SD-WAN and other features.

    Hoping to move to Meraki next year.

    Toshi_Esumi

    Good luck with that.

     

    Toshi

    FarNorthJoe
    New Contributor

    Thanks. Used them before and solid as a rock. Licensing costs are up there, however you get what you pay for. 

    Toshi_Esumi

    If you need only static routing, that might work and less features to possibly break.

    FarNorthJoe

    Yep. :) Rock solid.

    CatInHat
    New Contributor III

    Yes, I have experience with Fortigate products. They usually offer a good combination of performance and reliability. Unlike Checkpoint, Fortigate actually uses ASICs for high-speed network traffic processing, which can improve real-time performance, especially against DoS attacks. However, the choice between them may depend on your specific requirements and use cases. It is recommended that you thoroughly compare and test both products before making a decision.

    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors